Enhanced API management: multiple API keys, rights

AFAIK you can use the API w/o any auth for non-security-related access, aka read-only and non-sensitive. To access the sensitive info and to edit something (e.g. disable filtering) you need to use the API key. But there is only one API key.

In case of a security breach you need to reset the key and alter all of the places where it was used. You cannot easily tell which instance was compromised or which instance went nuts via the API key.

The following changes will enhance this:

  1. multiple API keys
  2. detailed rights management for API keys (access to specific commands: deny, ro, rw)
  3. option to disable public API access
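One way the three requested items could fit together, as an added sketch that is not Pi-hole code: each app gets its own hashed key with per-command rights (deny/ro/rw), a key can be revoked alone after a breach, and unauthenticated read access is a toggle. The `sensitive` set, the command names and the `ApiKeyStore` API are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()  # only the hash is ever stored

@dataclass
class ApiKey:
    name: str               # which app/instance holds the key, so a misbehaving one is identifiable
    key_hash: str           # SHA-256 of the secret; the plaintext key is never stored
    rights: Dict[str, str]  # command -> "deny" | "ro" | "rw", as proposed in item 2
    default: str = "deny"   # applies to commands not listed in `rights`
    revoked: bool = False

class ApiKeyStore:
    def __init__(self, public_read: bool = True, sensitive: Optional[Set[str]] = None):
        self.public_read = public_read       # item 3: toggle unauthenticated read-only access
        self.sensitive = sensitive or set()  # constructed: commands never served without a key
        self.keys: Dict[str, ApiKey] = {}

    def issue(self, name: str, rights: Dict[str, str], default: str = "deny") -> str:
        """Create a key for one app/instance (item 1); the plaintext is returned only once."""
        secret = secrets.token_hex(16)
        self.keys[_hash(secret)] = ApiKey(name, _hash(secret), dict(rights), default)
        return secret

    def revoke(self, name: str) -> None:
        """After a breach only the compromised instance's key is reset; others keep working."""
        for key in self.keys.values():
            if key.name == name:
                key.revoked = True

    def _lookup(self, secret: str) -> Optional[ApiKey]:
        h = _hash(secret)
        for stored, key in self.keys.items():
            if hmac.compare_digest(stored, h) and not key.revoked:
                return key
        return None

    def authorize(self, secret: Optional[str], command: str, write: bool) -> Tuple[bool, Optional[str]]:
        """Return (allowed, key_name); key_name is None for unauthenticated requests."""
        if secret is None:  # public access: read-only, non-sensitive, and only if enabled
            return (self.public_read and not write and command not in self.sensitive, None)
        key = self._lookup(secret)
        if key is None:     # unknown or revoked key
            return (False, None)
        right = key.rights.get(command, key.default)
        return (right == "rw" or (right == "ro" and not write), key.name)
```

Because `authorize` returns the key's name, a log of which instance issued a write (e.g. a disable) is available without any extra lookup.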

This is a hash of the password you have set for the Pi-hole admin interface. There is one password, thus one key.

How many instances/applications are using your API key?

Perhaps I don't fully understand your feature request.

OK, that's simple.

Currently I use two apps on Android. In the future I'm considering creating a toggle switch in my home automation (openHAB).

I fully understand that this request is not #1 prio, but you might consider it in the future. Maybe when a rewrite of that section occurs :slight_smile:

Yes, we'll keep this in mind. Thanks!


Pi-hole v6.0 is rewriting the API from scratch. However, a role-management system will surely make things a lot more complicated.

Your request is to

  1. allow multiple passwords with different powers
  2. allow fine-grained permissions for each of these passwords
  3. allow disabling API access entirely without a password

right?


If the API keys are still a hash of a password, then you are right :slight_smile:

I guess in the end it boils down to

If the API keys are still a hash of a password, then you are right too :slight_smile: